Web App Training

In this fast paced world of DevOps, how can you create apps that are as free of security issues as possible? Join us to find out. As usual, hands on labs, and industry best lectures are what you should expect.

Day 1: On The Attack

The Basics
We start our training session by looking into the technology used in modern web applications. This will include such topics as: HTTP, HTML, CSS, JavaScript, server-side languages and web application architectures. We will also be looking into attack trends and some notable case studies. The goal is learning how web applications work so that we can better understand how they are attacked and how to defend them.

Tools and Introduction to VulnerabilitiesAfter establishing the basics, we will turn our attention to web application vulnerabilities. We will be using the OWASP Top Ten as a guide to delve into the most prevalent web application security vulnerabilities. During this portion we will develop proficiency with industry standard tools such as Burp Suite and OWASP ZAP. We’ll also explore techniques and procedures to help discover potential vulnerabilities. Additionally, we will discussing compiled versus interpreted languages and the different vulnerabilities that each can expose an organization to.

InjectionThe first category we’ll explore is injection, which includes such things as SQL injection (SQLi). This topics looks at the vulnerabilities exposed by an application which uses user-supplied data as it constructs commands for an interpreter. As with each vulnerability that we cover, we establish techniques for discovering the vulnerability, developing proof-of-concept (POC) code and finally prevention techniques. SQLi is one of the most prevalent, and damaging, vulnerabilities that an application can expose.

Cross-Site Scripting (XSS) & Cross-Site Request Forgery (CSRF)Next we’ll focus on client-side attacks by looking into cross-site scripting and cross-site request forgery. Both vulnerabilities allow for attackers to attack other users of your application as well as individual users.

Session Management & AuthenticationSince the web is stateless, session management is a critical component of a modern web application. We’ll end day one by looking into session management as well as authentication and common pitfalls in their implementation. This topic will include two-factor authentication and integrating open authorization standards.

Day 2: A Strong Defense

Writing Better CodeDefending an application begins with writing better code. We’ll begin day two by discussing best programming practices for writing more secure code as well as techniques for identifying potential vulnerabilities during the build process. We’ll also explore using proper encryption and the importance of validating business logic.

Frameworks and Languages That HelpThe choice of programming language and framework can impact the overall security of your application, in this session we’ll discuss how to evaluate a language/framework and those that we thing are worth considering.

Extending the PerimeterWhat else can we do to secure our applications? In this part of our training we’ll look into the use of APIs, web application firewalls (WAFs) and hardening the server environment.

Next-Gen ToolsWe’ll wrap-up our training by looking into the latest in testing tools, frameworks and where web application technology is heading.